Permission denied for the current user to search the Omeka\Api\Adapter\UserAdapter resource

Hi Everyone,

I need to access the /api/users endpoint on the API, but it doesn’t let me do that and returns
Permission denied for the current user to search the Omeka\Api\Adapter\UserAdapter resource.
Even though I am a global admin. Is there a header I should send with this API call, and if so, what is that header’s name and what is the value I should put into it?

I have been working on this issue for quite a while now… Is there something I am missing?

Hello,
first you need to go to Users > Edit (pencil icon next to your privileged user) > TAB (API Keys) and set a new API key (let’s say 123456; use a secure one, obviously).
On save you will be presented with

key_identity: ZudzGSGxLTnv0KfvvzXQE6YNmRpEuCTW
key_credential: wUwPVS78K5NAFEprgIBGkEzBvtN281Hb

Then call your REST API using the above like this:
https://<DOMAIN>/api/users/?key_identity=ZudzGSGxLTnv0KfvvzXQE6YNmRpEuCTW&key_credential=wUwPVS78K5NAFEprgIBGkEzBvtN281Hb

Best

Is there a way I can hide this key from my clients? Like when I want to call it and get a specific user, how can I hide my key_identity and credential from the client’s browser?

You should never call the API from the client side (at least those endpoints demanding credentials). The above should be called ALWAYS server-side.

If you are using a client-side app (e.g. React) you should implement a proxy service that will hide this from end users. What I do, using Next.js, is to create endpoints under /api/ and then call these points only after the user is logged in (so there’s an authenticated session) or following the latest version to get the results and do the SSR first.

What’s your case exactly?

I won’t be using my Global Admin key on the client side for sure. This is just to retrieve the metadata for a user with a researcher role.

I tried to plug in the credentials using the same format but with the keys of my researcher accounts and it returned: “Omeka S encountered an error. To learn how to see more detailed information about this error, see the Omeka S User Manual page on retrieving error messages.”

I want it to return the metadata for that specific user when called.

Can’t tell for sure but I think /api/users/ endpoint is not allowed for researcher role…
Maybe a more experienced Omeka member can elaborate on this.

Not sure either what happens if you specify the user id (e.g. /api/users/123)

That just says permission denied for the current user.
I tried using the researcher’s credentials and it showed me the full list of users.

The API doesn’t allow anonymous access to the user resources, and if you’re not passing credentials, you’re anonymous. The API only works with the passed keys to authenticate the user, regardless of if you’re logged in to the regular web interface.

A forthcoming version will add a different read-only “api-local” endpoint that does use the auth login cookie, to make it simpler to get privileged information via the API for a logged in user.

Hey John,

I am passing the key_identity and the key_credential for the researcher into /api/users?key_identity=xxx&key_credential=yyy, and I am still getting a list of all the users in my Omeka instance.
Is there any way I can get the researcher’s metadata, like the name for instance, and not use that same key to get all the users? Then my issue will be solved. This provides safety for everyone in my Omeka instance.

/api/users is always a list of users. If you want to just get a specific one, you need to have an ID there at the end of the URL, /api/users/ID.

Researchers still have permission to see the other users’ info, just not to edit anything.
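
The server-side proxy recommended earlier in this thread, combined with the /api/users/ID lookup from the last reply, as an added example that is not part of the original thread or Omeka's own code. The function names, environment variable names, the field allow-list and the rule that a session may only read its own record are assumptions; the `o:` field names are assumed from Omeka S JSON-LD output, and Omeka is assumed to sit at the domain root.

```javascript
// Added example: server-side lookup of a single Omeka S user.
// The API keys stay in server configuration and never reach the browser.
// Hypothetical names: ALLOWED_FIELDS, buildUserUrl, pickPublicFields,
// getOwnProfile, OMEKA_BASE_URL, OMEKA_KEY_IDENTITY, OMEKA_KEY_CREDENTIAL.
const ALLOWED_FIELDS = ['o:id', 'o:name', 'o:role'];

// Build the upstream URL for /api/users/ID. Rejecting anything but a positive
// integer keeps a caller from steering the request to /api/users (the full
// list) or to another path.
function buildUserUrl(baseUrl, userId, creds) {
  if (!/^[1-9][0-9]*$/.test(String(userId))) {
    throw new Error('user id must be a positive integer');
  }
  const url = new URL(`/api/users/${userId}`, baseUrl);
  url.searchParams.set('key_identity', creds.keyIdentity);
  url.searchParams.set('key_credential', creds.keyCredential);
  return url;
}

// Copy only allow-listed fields, so e-mail addresses and anything else the
// key can read are not forwarded to the client.
function pickPublicFields(user) {
  const out = {};
  for (const field of ALLOWED_FIELDS) {
    if (field in user) out[field] = user[field];
  }
  return out;
}

// sessionUserId comes from the proxy's own authenticated session; a caller may
// only read their own record. fetchImpl is injectable so this runs offline.
async function getOwnProfile(sessionUserId, requestedId, env = process.env, fetchImpl = fetch) {
  if (String(sessionUserId) !== String(requestedId)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  const url = buildUserUrl(env.OMEKA_BASE_URL, requestedId, {
    keyIdentity: env.OMEKA_KEY_IDENTITY,
    keyCredential: env.OMEKA_KEY_CREDENTIAL,
  });
  const res = await fetchImpl(url);
  if (!res.ok) {
    // Return a generic error rather than relaying the upstream response body.
    return { status: 502, body: { error: 'upstream error' } };
  }
  return { status: 200, body: pickPublicFields(await res.json()) };
}
```

Because the key travels in the query string, it will also appear in the Omeka server's access logs, so those logs need the same protection as the key itself.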